Vulnerability detected - textbox with bind but disabled - chrome debugger opens backdoor

asked 2023-02-15 01:20:12 +0800

holos


One of our creative testers found the following:

We have a textbox which is typically bound to a variable:


<textbox value="@bind(vm.input)" />

Sometimes we dynamically need to set this textbox to disable="true".


private Textbox input;

Now one can open the (Chrome) debugger and just remove the disabled from

<input id="o4hEy" class="z-textbox z-textbox-disabled" value="" type="text" disabled>

and voilà - the field takes input and the input is sent to the server.

I tried a lot to suppress the value being sent, but found no proper solution.

Please advise.

P.S.: Rendering a label instead or checking something on the setter side is no option as we do all of this stuff highly dynamically.


1 Answer



Thanks, hawk.

This did the trick :-)

holos (2023-02-16 04:27:46 +0800)
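
One way to enforce the disabled state on the server instead of trusting the browser's `disabled` attribute, as an added example (it is not the answer referred to in the comment above and not ZK project code). It assumes ZK's `AuService` hook is acceptable in the application; the class name `DisabledInputGuard` and the helper `protect` are hypothetical.

```java
import org.zkoss.zk.au.AuRequest;
import org.zkoss.zk.au.AuService;
import org.zkoss.zk.ui.Component;
import org.zkoss.zk.ui.event.Events;
import org.zkoss.zul.impl.InputElement;

/**
 * Hypothetical guard: drops client value updates for input components
 * that the server currently considers disabled or read-only.
 * The server-side component state is the only source of truth; the
 * "disabled" attribute in the DOM is presentation and can be edited
 * by anyone with browser developer tools.
 */
public final class DisabledInputGuard implements AuService {

    @Override
    public boolean service(AuRequest request, boolean everError) {
        Component comp = request.getComponent();
        String cmd = request.getCommand();

        // Only value-carrying commands are filtered; focus, blur etc. pass through.
        boolean valueUpdate = Events.ON_CHANGE.equals(cmd)
                || Events.ON_CHANGING.equals(cmd);

        if (valueUpdate && comp instanceof InputElement) {
            InputElement input = (InputElement) comp;
            if (input.isDisabled() || input.isReadonly()) {
                // Re-render from server state so the tampered DOM is replaced.
                input.invalidate();
                // true = request handled here; the component's default
                // processing (which would store the value and fire the
                // binding) is skipped.
                return true;
            }
        }
        // false = not handled; ZK continues with its normal processing.
        return false;
    }

    /** Attach the guard to one input component (e.g. after creating it dynamically). */
    public static void protect(InputElement input) {
        input.setAuService(new DisabledInputGuard());
    }
}
```

Because the check reads `isDisabled()` at request time, it follows the component when the application toggles the flag dynamically and needs no per-field setter logic.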

Asked: 2023-02-15 01:20:12 +0800

Seen: 9 times

Last updated: Feb 15 '23
